Closed Bug 1740944 Opened 3 years ago Closed 3 years ago

CSP doesn't apply to Web Worker's importScript

Categories

(Core :: DOM: Security, defect, P3)

RESOLVED DUPLICATE of bug 1320931

People

(Reporter: luan.herrera, Unassigned)

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [domsecurity-backlog2][reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

Attached file index.html

It is possible to import external scripts from within a Web Worker using the "importScripts" function and bypass the CSP set by the page, as it isn't correctly being applied to it.

The same imported script is blocked by Chrome (due to a CSP violation).

VERSION
Version: 94.0.1 (64-bit)
Operating System: Windows 10

REPRODUCTION CASE

  1. Access https://lbherrera.github.io/lab/firefox/worker-csp-bypass-81eff3225e/index.html
  2. Check the Developer Tools for the "1337" message (sent by the web worker).

I have also attached the files used in the PoC - if you prefer, you can reproduce the attack by downloading and hosting index.html and script.js on a web server.

Flags: sec-bounty?
Attached file script.js
Group: firefox-core-security → dom-core-security
Type: task → defect
Component: Security → DOM: Security
Product: Firefox → Core

Sounds like a dupe of bug 1413492, but maybe there's a slight difference here between 'worker-src' in that bug and 'script-src' in this one. I think it's just that we don't do importScripts() right in either case.

Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
See Also: → 1413492
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [domsecurity-backlog2][reporter-external] [client-bounty-form] [verif?]

I was just looking at CSP in Workers anyway.

Assignee: nobody → tschuster

(In reply to Daniel Veditz [:dveditz] from comment #2)

> Sounds like a dupe of bug 1413492, but maybe there's a slight difference here between 'worker-src' in that bug and 'script-src' in this one. I think it's just that we don't do importScripts() right in either case.

I agree this is basically a dupe of bug 1413492, and the even older bug 1320931 seems to encompass that as well. Interestingly enough, while investigating the source code I've found a reference to bug 1223647: CSP erroneously "inherited" into dedicated workers.

> The same imported script is blocked by Chrome (due to a CSP violation).

As far as I can tell Chrome doesn't apply the CSP either.

It seems like the CSP specification wanted workers to inherit at some point, but this was reverted again. The latest issue that I've found is this:

> I think there is agreement now. Workers must not inherit CSP directives from the parent context, and rather use their own CSPs as delivered by their response headers.

https://github.com/w3c/webappsec-csp/issues/336
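The practical consequence of that spec decision for site operators is that a page's CSP header does not protect its workers: the worker script's own response must carry the policy that governs what importScripts() inside it may load. The following Python script is an added example (not the reporter's PoC and not Firefox code) that serves a page, a dedicated worker and a helper script, attaching a separate Content-Security-Policy header to each response. The hostnames, file contents and the simplified script-src matcher are constructed assumptions for illustration; the matcher handles only 'self', 'none', '*' and scheme://host sources and is not a full CSP implementation. Whether the worker-served header is actually enforced still depends on the browser, which is exactly what this bug is about.

```python
"""Serve a page and its dedicated worker with a CSP on *each* response.

Constructed example: the hostnames, file contents and the simplified
source matcher below are assumptions for illustration, not Firefox code
or the reporter's PoC.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit

# Policy delivered with the HTML document.
PAGE_CSP = "default-src 'self'; script-src 'self'"
# Policy delivered with the worker script itself. A worker uses the CSP
# from its own response headers, so this is the policy that governs
# what importScripts() inside the worker may load.
WORKER_CSP = "default-src 'none'; script-src 'self'"

INDEX_HTML = b"""<!doctype html>
<script>
  const w = new Worker("worker.js");
  w.onmessage = (e) => console.log("worker said:", e.data);
</script>
"""
WORKER_JS = b"""importScripts("helper.js");  // same-origin: allowed by 'self'
postMessage(typeof helper === "function" ? "helper loaded" : "no helper");
"""
HELPER_JS = b"function helper() { return 1; }\n"

ROUTES = {
    "/": ("text/html", INDEX_HTML),
    "/index.html": ("text/html", INDEX_HTML),
    "/worker.js": ("text/javascript", WORKER_JS),
    "/helper.js": ("text/javascript", HELPER_JS),
}


def csp_header_for(path: str) -> Optional[str]:
    """Pick the Content-Security-Policy value for a response path."""
    if path in ("/", "/index.html"):
        return PAGE_CSP
    if path.endswith(".js"):
        # Every script that can run as a worker (or be imported into one)
        # gets its own policy, since the page's policy will not cover it.
        return WORKER_CSP
    return None


def script_src_allows(policy: str, self_origin: str, script_url: str) -> bool:
    """Simplified CSP source check (assumption: only 'self', 'none', '*'
    and scheme://host[:port] sources are handled; real matching has more
    rules). Returns whether script-src (falling back to default-src)
    permits loading script_url from a context whose origin is self_origin."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    parts = urlsplit(script_url)
    target = f"{parts.scheme}://{parts.netloc}".lower()
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "*" or s == target or (s == "'self'" and target == self_origin.lower()):
            return True
    return False


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        route = ROUTES.get(self.path)
        if route is None:
            self.send_error(404)
            return
        content_type, body = route
        self.send_response(200)
        self.send_header("Content-Type", content_type)
        csp = csp_header_for(self.path)
        if csp:
            self.send_header("Content-Security-Policy", csp)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Browse to http://127.0.0.1:8000/ and watch the console.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run it and open http://127.0.0.1:8000/ in a browser; the worker's own response carries `default-src 'none'; script-src 'self'`, so a cross-origin importScripts() target would be rejected by a browser that applies the worker's policy, while the same-origin helper.js loads. The `script_src_allows` helper only illustrates that decision offline for the two constructed URLs.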

Assignee: tschuster → nobody
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE

We'll clean up the "to dupe or not to dupe" situation later, but for the Bug Bounty purposes this is a known issue and is not eligible.

Group: dom-core-security
Flags: sec-bounty? → sec-bounty-